
How to trace a proxy..

I have someone that keeps trying to use a (I guess) password generator on my companies' FTP server.. He tries to log in via administrator and it seems to be trying a different password every 1-2 minute intervals... Of course it traces back to somewhere in China, so is there a way while he is trying to connect that I can trace it back to his true IP? He is actually trying as I type this.. I can of course keep blocking his IP or range and I truly need to limit the login attempts to 3-5 tries.. This is a newly set up FTP server and still working out the kinks... This might also be a different topic but I would also like to make this FTP server to appear to be invisible to the outside world, I currently have my router set to block ping requests but doesn't seem to do much good since you can go into nmap and do a -sS -v -P0 scan and find that FTP is open, how can I make it to where an nmap or any other scan will not reveal that port to be open... Mainly right now I want to track this certain IP so I can call the sys admin and let him know that this person is unlawfully trying to access my server... Thanks in advance..

so is there a way while he is trying to connect that I can trace it back to his true IP?

Not really, that is how proxy servers work, you will just see them. I strongly suspect that this will be a bot and is using a machine that is owned rather than an intentional proxy server..................do you know anything that makes you think that it is a genuine proxy?

Your only hope would be to contact the owner of the proxy as you would need to match to their logs for them to find out the connecting IP, which could in itself be a proxy.

I think that your two main problems are going to be the language barrier and the fact that most people are not keen to admit that they have been taken advantage of.

I am not sure if this is feasible but you might look at changing the administrator account name from the default, as that might cause the botware to give up and go somewhere else. I would still block the IP range etc. as Nokia suggested.

If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?

I really appreciate your replies... The only reason I am thinking it's a genuine proxy is because I have since blocked 5 of his proxies ranging anywhere from the Netherlands, U.S., to the latest being China... Once I kick him, then block him out he would come back in 10 minutes later under a different proxy... Now, I am using FileZilla for an FTP server and I don't see an option to set it to not allow more than 3 login attempts... I only have the FTP accessible for 3 different user accounts because the FTP is used for 3 of my businesses under the same roof and on the same LAN.... This FTP is still in the preliminary stages so I am still working out all the kinks... That all being said, what firewall would you all suggest, and maybe a different (more secure) FTP server, and lastly is it the firewall that you set to not allow a certain amount of login attempts?

Administrative login to the FileZilla server can be limited to a specific port. I think the default is something like 14171 or something. You can set the firewall to block that port from outside your network. That may help.

You should be able to set the login attempts on the FTP server, or the local server for the specific accounts. The firewall will help you block ports and source IPs.

Depending on what you have available for a host system, check out ZoneAlarm, or Kerio. They have personal as well as heavier duty small network firewalls, and these can help you better shape the internal network traffic.

I honestly don't know the details of this sort of stuff, but I do know that if he gets a "this account does not exist" type of message he will go away, as that tells him he now has to guess the user ID and the password.

I only have the FTP accessible for 3 different user accounts because the FTP is used for 3 of my businesses under the same roof and on the same LAN

That gives me another idea. A few years ago (Win NT 4.0) I saw some software that restricted login to certain servers/applications from specific machines on the LAN.

Sorry I don't have any details and have lost my contacts where it was in use, but it might be worth checking out.


You call the usernames whatever you want. Give each user a separate home directory and set permissions on what they can do. You can restrict/allow on an IP basis. You can even restrict via country... so you can only allow connections from IPs in the US and Canada, etc.

Check it out. There are some limitations with the free version... such as number of user accounts. No quota or speed limitations though... The version I had was the "pro" version before they released two versions. The quota and speed limitations were quite nice.

I only used it so people could upload a couple of files to me. I wasn't really hosting much. It was just something that was very quick and easy to set up. I only used it for about 6 months or so.

Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

I will describe my setup, sorry I should have before.. What I have is the following:
I have a 14 computer LAN, 2 4-port routers and 3 switches that are linked together with many fiery/scanner/plotters/copiers running... I have 2 DSL connections (one on each router).. One router has the DHCP server enabled and on the other the DHCP server is disabled... I have a dedicated box set up for just the FTP server... All I have running on the FTP server is Windows 2000, an anti-virus program and FileZilla.. I pretty much have FileZilla set up as default.. I have DSL dynamic IP service so I have 3 noip.com accounts (1 each for 3 companies) to resolve the IP from dynamic to static to the FTP server.. Set up on the FTP box I have 3 accounts set up (one for each business) and each one has a folder for each business, and inside those folders the customers can read, write, append, delete files or folders for their use... The 3 different folders each have a user name and password which are probably easily guessable since they are the name of the company... I made it that way so it would be easier on my customers... Any of the other computers on the LAN can access the FTP folders on the FTP box by typing a username and password upon getting into them... (i.e. administrator = user and password).. I have Norton firewall on a few of the main computers that get email but have truly never had much of a need for firewalls on the others... The only problems I have ever run into were the people trying to get into this FTP... So I guess I am wondering how I can make my router (the one the FTP is running off of) not appear to be running an FTP server to the outside world, it is a D-Link 4-port.. and how to overall secure the whole network down...

Going off your setup, your FTP server should be inaccessible to the 'outside' world.

They should not be able to scan past your router and certainly should not be able to connect to it and run a password cracker against you!

Read my PM then get back to me buddy.

Until then - a quick solution would be to implement an ACL on your routers blocking traffic to ports 20 & 21. Try one that allows your internal IPs only - which will by default block any IP not in that range.
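
The thread asks for a 3-5 try login limit while the guesses arrive one every 1-2 minutes from changing source addresses. As an added example (not part of any post in this thread; the log layout, LAN range, time window and sample lines are assumptions constructed for illustration), this Python script counts rejected FTP logins per source address and per account, and shows why a per-IP limit alone misses this pattern:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed log layout: (session) date time - account (client ip)> text
LINE = re.compile(r"\((\d+)\) (\S+ \S+) - .*?\((\d+\.\d+\.\d+\.\d+)\)> (.*)")
LAN = ip_network("192.168.0.0/24")  # assumed internal range, never counted
MAX_TRIES = 5                       # upper end of the 3-5 tries asked for
WINDOW = timedelta(minutes=15)      # wide enough for one guess per 1-2 minutes

def make_sample():
    """Constructed log: a guess every 2 minutes, source changes after 3 tries."""
    rows, start = [], datetime(2008, 3, 4, 10, 0, 0)
    hits = [("203.0.113.7", "administrator")] * 3
    hits += [("198.51.100.9", "administrator")] * 3 + [("192.168.0.12", "companya")]
    for n, (ip, user) in enumerate(hits):
        stamp = (start + timedelta(minutes=2 * n)).strftime("%m/%d/%Y %H:%M:%S")
        head = f"({n:06d}) {stamp} - (not logged in) ({ip})> "
        rows += [head + f"USER {user}", head + "530 Login or password incorrect!"]
    return rows

def failed_logins(lines):
    """Yield (time, ip, user) for each rejected login from outside the LAN."""
    user_by_session = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        session, stamp, ip, text = m.groups()
        if text.upper().startswith("USER "):
            user_by_session[session] = text[5:].strip().lower()
        elif text.startswith("530 ") and ip_address(ip) not in LAN:
            when = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")
            yield when, ip, user_by_session.get(session, "?")

def over_limit(events, field):
    """Keys (field 1 = ip, 2 = user) reaching MAX_TRIES failures within WINDOW."""
    recent, flagged = defaultdict(list), set()
    for event in sorted(events):
        when, key = event[0], event[field]
        recent[key] = [t for t in recent[key] if when - t <= WINDOW] + [when]
        if len(recent[key]) >= MAX_TRIES:
            flagged.add(key)
    return flagged

def analyse(lines):
    events = list(failed_logins(lines))
    return {"by_ip": over_limit(events, 1), "by_account": over_limit(events, 2)}

if __name__ == "__main__": print(analyse(make_sample()))
```

On the constructed sample neither source address reaches the limit, but the `administrator` account does, so the count that matters for a lockout or alert is the per-account one.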